NYCHHC Breach: 1.8M Records, Fingerprints Included


The damage is done. New York’s biggest public health provider admits hackers were inside its system for months. Stealing data. Taking fingerprints. The count stands at 1.8 million affected people.

NYCHHC handles healthcare for over a million city residents. Mostly uninsured folks or those on Medicaid. The network reported the intrusion to the Department of Health and Human Services. That makes this one of the largest medical data thefts this year.

Healthcare targets are soft spots for cybercriminals. They want billing info. They want identities. Money drives it all.

Here is what happened

Detected February 2. That was when NYCHHC saw the attack and locked down the network. But the access started long before that.

From November 2024 until February 2025, hackers moved through the systems. Copied files. Lay low.

A third-party vendor left the door open. NYCHHC won’t say which one.

What’s missing

The data taken varies per patient. Some got hit harder than others.
* Medical records, including diagnoses, meds, tests.
* Billing and claims details.
* Social Security numbers. Driver’s licenses. Passports.
* Geolocation data. Yes. Even the exact spot where someone uploaded an ID photo.

Then there’s the biometrics.

Fingerprints. Palm prints. These don’t change. You can’t reset them like a password. NYCHHC didn’t explain why patient biometrics were stored in the first place. Employee checks use fingerprints, sure, but did patients opt in? Nobody knows if their biometrics were specifically targeted or just swept up.

Silence at the top

The NYCHHC website went offline briefly. Monday morning. When TechCrunch emailed with questions, radio silence.

Why take months to notice the breach?
Did hackers send a ransom demand?

No word from the spokesperson. Email servers might even be down. Hard to verify.

Not this one again

Earlier this year, a separate breach at NADAP (National Association on Drug Abuse Problems) took data from 5,000+ NYCHHC patients. Don’t mix this up with that incident. They’re unrelated.

One question lingers. With geolocation and permanent biometric data out in the wild, what’s actually left to hide?
